The Dark World of Rogue Apps

Ray Lewis has been accused of various crimes in the past. But did you know he might steal your iPhone contacts?

Not Ray personally. But a slew of app developers are using the famed Baltimore Ravens linebacker’s image, along with that of dozens of other NFL stars, to do all sorts of nefarious things to people’s mobile phones, maybe.

For example, there’s the Baltimore Ravens Theme app from Airborne Studios ($1.99). While this app does appear to feature legally licensed imagery from the NFL, users who download the utility after agreeing to its terms of service must give Airborne permission to read all of their contacts. Airborne can even make calls using a person's phone!

And there’s the Baltimore Ravens Wallpaper, an app produced by the prolific developer David Fridman (who produces Wallpaper apps for nearly every NFL and NHL team). Not only is the Wallpaper connection to the league tenuous at best, but the app also requires users' permission to access their phones' GPS (in other words, to find out where they are exactly) and to modify their browser history—and even “allows the app to read the history of all URLs that the browser has visited and all of its bookmarks.”

Sounds a bit excessive, right? Even if these app developers wanted to use some nonidentifiable user data for ad-targeting purposes, a person's name, number and real-life locations seem to be pushing way beyond privacy boundaries.

According to IP Lasso, a startup which tracks and monitors apps across Facebook, Android, Google and Apple’s App Store, there are at least 200 football-themed apps, with an install base of more than 2 million downloads. Some companies, like YinzCam, have license agreements with NFL teams. Others, like Spare Time Ventures, don’t. And licensing violations are just part of the problem.

Spare Time’s Atlanta Falcons by 24-7 Sports app, besides delivering the latest in Falcons news, requires users to agree to allow the app to take pictures and videos using their phone’s camera. “This permission allows the app to use the camera at any time without your confirmation,” reads the app's terms of service. Sure, seems reasonable, right? Spare Time also gets to read your contacts, modify your contacts, and even receive and delete incoming texts.

Similarly, a company called UnSync Soft markets a San Francisco 49ers Wallpaper app that requires users to provide permissions to access their location and email accounts. Another, Dark Studios Apps, pulls GPS location and can even prevent a person's phone from going to sleep. It's up in the air as to whether the league has given Dark Studios permission to use its logo (same for the NBA and NHL).

Scary stuff. It’s not clear what these developers might do with all this personal data. But one guess is that they’d resell it to other marketers, or spammers.

Wait, not so fast! According to Spare Time founder John Wana, his company’s apps don’t need to license anything from the NFL since he’s just aggregating news. “We’re just a blog reader,” he said.

As for the suspicious permissions that Spare Time’s apps require, Wana claimed to know nothing about them. He pointed to a company called PhoneGap, an open source firm that helps developers build apps that work in multiple app stores. Those permissions are standard, and from PhoneGap, Wana claimed.

“We seriously do not want any of that [personal] information,” he said. “We’re just doing this as a fun side project.” PhoneGap was unavailable for comment.

NFL knock-off apps like these are only one prominent example. Upon the release of a recent popular movie, for instance, IP Lasso’s proprietary software found close to 40 bogus apps.

“This happens all the time with any sort of popular or youth-oriented content,” said IP Lasso CEO Reggie Pierce.

According to Pierce, IP Lasso has built a central user interface that pulls info on thousands of apps from all four major app stores. Clients can pay for access to the interface, which flags apps that violate copyright protection and, more importantly, enforce dangerous access requirements, using data from user reviews, multiple databases and popular keywords. The company even caught one app pushing its own bogus search results onto a user's phone, only the tool was masked to look like Bing.

IP Lasso can also send out automated dispute messages to developers, though that can become a game of whack-a-mole. Eventually, companies like Google and Apple can get involved, though no developers have been banned as a result, per Pierce (at least not yet).

The NFL isn’t a client—yet. IP Lasso counts among its customers several TV studios, luxury goods brands and a major record label.

Why are mobile apps so ripe for this sort of counterfeit and scamming? Pierce says people are far more guarded on the desktop. But on their phones, “people blow through their licensing agreements. People are wary of websites, but on their phone these are more trusted environments. The level of scrutiny isn’t there. They think, 'Google or Facebook or whoever must have endorsed this,'” he said.
